US Authorities Seize $1m from BlackSuit Ransomware Group

In a significant law enforcement operation, the U.S. Department of Justice announced the seizure of cryptocurrency and server infrastructure associated with the BlackSuit ransomware group, also known as Royal. The operation, which occurred on July 24, 2025, was a coordinated effort involving multiple domestic and international agencies, including the FBI, the U.S. Secret Service, and counterparts from the U.K., Germany, Ireland, France, Canada, Ukraine, and Lithuania. The operation resulted in the confiscation of over $1 million in cryptocurrency, specifically $1,091,453, which was traced back to ransom payments made by victims. 'This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable,' stated a representative from the Department of Justice. The seized cryptocurrency was linked to a ransom payment made on April 4, 2023, when a victim paid 49.3 Bitcoin, valued at approximately $1.45 million at the time, in exchange for a decryptor. The BlackSuit group has been responsible for over 450 attacks against U.S. entities, particularly targeting critical infrastructure sectors such as healthcare and education, and has extorted more than $370 million since its inception in 2022.

The BlackSuit ransomware operates through a combination of phishing campaigns, exploitation of Remote Desktop Protocol (RDP), and leveraging vulnerabilities in outdated software systems. This multi-faceted attack approach enables lateral movement within victim networks, facilitating data exfiltration prior to encryption. Experts have noted that ransomware groups like BlackSuit often employ 'big-game hunting' tactics, targeting high-profile organizations to maximize ransom demands, which can range from $1 million to $10 million, with the largest known demand reaching $60 million.

The operation, referred to as 'Operation Checkmate,' not only dismantled the operational infrastructure of BlackSuit but also seized four servers and nine domains, crippling the group's ability to execute further attacks. Despite this disruption, cybersecurity analysts caution that the core operators of BlackSuit possess the expertise and resources to re-establish their operations under new identities. 'Without arrests, the operators behind BlackSuit still have the skills, infrastructure know-how, and hundreds of millions in funding to restart operations under a new name,' noted a cybersecurity analyst.

In response to the increasing threat posed by ransomware groups, experts recommend that organizations implement robust security measures, including regular software updates, employee training on phishing detection, and enhanced monitoring of network traffic to identify suspicious activities. 'Disrupting ransomware infrastructure is not only taking down servers – it’s dismantling the entire ecosystem that enables cyber criminals to operate with impunity,' added Michael Prado, deputy assistant director of the Cyber Crimes Center at Homeland Security Investigations.